Computer Engineering and Applications ›› 2014, Vol. 50 ›› Issue (5): 74-78.

• Network, Communication and Security •

A joint packet marking deployment scheme for defending against DDoS attacks

黄鲁娟1,3,金  光1,3,何加铭2,3,江先亮1   

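  1. College of Information Science and Engineering, Ningbo University, Ningbo, Zhejiang 315211
  2. Institute of Communication Technology, Ningbo University, Ningbo, Zhejiang 315211
  3. Key Laboratory of Mobile Internet Application Technology of Zhejiang Province, Ningbo, Zhejiang 315200
  • Publication date: 2014-03-01 Release date: 2015-05-12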

DDoS defense with jointed deployment of IP traceback and path identification

HUANG Lujuan1,3, JIN Guang1,3, HE Jiaming2,3, JIANG Xianliang1   

  1. College of Information Science and Engineering, Ningbo University, Ningbo, Zhejiang 315211, China
  2. Institute of Communication, Ningbo University, Ningbo, Zhejiang 315211, China
  3. Key Laboratory of Mobile Internet Application Technology of Zhejiang Province, Ningbo, Zhejiang 315200, China
  • Online: 2014-03-01 Published: 2015-05-12

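Abstract: A new scheme combining deterministic packet marking and path identification is proposed, in which the source border router probabilistically chooses to perform either deterministic packet marking or path identification. The scheme dynamically adjusts the packet marking operation based on the degree of downstream network congestion and the results of path traceback, and the victim host applies different defensive measures according to the marking strategy used. Simulation experiments based on a large-scale authoritative Internet topology dataset show that the scheme defends well and effectively reduces the impact of DDoS attacks on the victim host.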

Key words: network security, distributed denial-of-service attack, deterministic packet marking, path identification

Abstract: A novel scheme that combines deterministic packet marking and path identification is proposed. In this scheme, source border routers mark each packet with either deterministic packet marking or path identification, chosen probabilistically. Based on downstream network congestion tolerance and the IP traceback result, routers dynamically adjust the proportion of packet marking. The victim then takes different actions according to the marking content. The results of large-scale simulations with Skitter, an authoritative Internet topology dataset, show that the scheme is effective in defending against DDoS attacks and alleviates the attack's impact on the victim.

Key words: network security, Distributed Denial of Service (DDoS) attacks, Deterministic Packet Marking (DPM), Path identification (Pi)